Thursday, January 10, 2013

No Proof That Iran Is Behind U.S. Bank Attacks

A recent New York Times article reported that the U.S. government was convinced that the government of Iran was responsible for DDoS attacks against U.S. banks. No specific names of U.S. officials were mentioned which is troubling for several reasons:

Government policy makers and administration officials are generally not very astute about the complexities of cyber attacks, incident response, and attribution.

The article's authors failed to interview any of the multiple cyber security experts who disagree with the sources quoted and/or referred to in the article.

The reasons given by the Times' sources didn't exclude other possibilities besides the government of Iran.

Roel Schouwenberg, senior researcher at Kaspersky Labs (which identified several recent cyberattacks against Iran), didn't confirm or deny the attacks' origins. However, he doesn't believe the attacks are so complicated they must be the work of a government.

“We can confirm that the attacks being reported are happening; however, the malware being used, known as ItsOKNoProblemBro, is far from sophisticated," wrote Schouwenberg in an e-mail. "It's really rather simple. It’s also only one part of the puzzle but it seems to be effective, which is all that matters to the attackers. Going strictly by the publicly known technical details, we don't see enough evidence that would categorize this operation as something only a nation-state sponsored actor could pull off.”

Claudio Guarnieri, security researcher at Rapid7, agreed the complexity of the attacks is "disputable" and doesn't necessarily mean a government is behind them.

"The malicious code involved is effective but very simple," wrote Guarnieri. "The link with state-sponsored entities could be justified by the fact that there is no direct gain for the attackers besides the disruption of the targets' operations. However, considering that there is no obvious evidence and that it could potentially be the work of generic cybercriminals, it's hard to confirm it.”

The public statements made by this group sound more like an Anonymous operation than something run by paramilitary Basij members or the IRGC, who's responsible for Iran's offensive cyber operations. The group's announcement of an equation based on page views of the offending film to determine the duration of attacks against the banks is too clever by half to be an official strategy. And at least one announcement failed to use proper punctuation for the word "God" and "Prophet" when referring to Allah and Mohammad (the author used lower case "g" and "p" instead of capital letters):

"The table below shows the result of search for the movie that insulted the god, his prophet and Muslims:"

I can't imagine a devout Muslim forgetting to capitalize God or Prophet but remembering to capitalize Muslim. I can imagine that mistake being done by someone who was using religious outrage as a pretense to support a false flag operation with Iran as the victim.

Relations with Iran are already tense. What we don't need is an internationally respected newspaper like the New York Times adding fuel to the fire by putting their name behind a story that presents no evidence and no objective examination of the facts by actual authorities in threat research, forensics, and incident response. You guys can and should do a lot better.